Flash has a pretty poor reputation in the security community and some
are calling for it to be
retired,
in the light of its prominence in the zero-day vulnerabilities
revealed in the Hacking Team doxing.

I’d like to take a moment to say that Flash is pretty great. There’s
a reason for its success: it’s a great web animation library and
editor, and it came early (mid-1990s). It had competitors but you
don’t hear about them anymore; Flash won. Moreover, Flash made video
on the web possible. I actually bought a copy, back when that was a
thing.

Flash’s security story is interesting. The Flash language,
ActionScript, is a memory-safe language (at this point it is a dialect
of JavaScript). Naively, this should make Flash immune to the sorts
of vulnerabilities you see exploited by the likes of Hacking Team.
However, the compiler/interpreter for the language and some of its
libraries are themselves written in C/C++, which aren’t memory safe.
This is where (I believe) the vulnerabilities are coming from.
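The point above, that a memory-safe scripting language is only as safe as the C/C++ runtime underneath it, can be shown with a toy example. The following C is an added illustration, not Flash or ActionScript code: it models a managed array the way a small interpreter might hold one, with one bounds check written the careless way (signed index compared against a length cast to signed) beside the correct one. The VmArray type, the function names and the sample values are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy runtime: a managed array as a C interpreter might store it.
 * Script code never touches memory directly; every a[i] goes through the
 * runtime, so the runtime's bounds check *is* the language's memory safety. */
typedef struct {
    double  *data;
    uint32_t len;
} VmArray;

typedef enum { VM_OK = 0, VM_RANGE_ERROR = 1 } VmStatus;

/* Careless check: the signed index is compared against the length cast to
 * signed. Any negative index passes, so the C read that follows would land
 * before the buffer, with no bug at all in the script that asked for it. */
bool bounds_check_naive(int32_t idx, uint32_t len) {
    return idx < (int32_t)len;
}

/* Correct check: reject negatives explicitly, then compare as unsigned. */
bool bounds_check_correct(int32_t idx, uint32_t len) {
    return idx >= 0 && (uint32_t)idx < len;
}

/* Element read as the interpreter would perform it for a script's a[i].
 * The buffer is dereferenced only after the correct check passes; an
 * out-of-range index is reported back to the script instead of read. */
VmStatus vm_array_get(const VmArray *a, int32_t idx, double *out) {
    if (!bounds_check_correct(idx, a->len)) {
        return VM_RANGE_ERROR;
    }
    *out = a->data[(uint32_t)idx];
    return VM_OK;
}

/* Count how many of the given indices a check would let through.
 * No memory is touched here, so the naive check can be exercised safely. */
int count_allowed(bool (*check)(int32_t, uint32_t),
                  const int32_t *indices, size_t n, uint32_t len) {
    int allowed = 0;
    for (size_t i = 0; i < n; i++) {
        if (check(indices[i], len)) allowed++;
    }
    return allowed;
}

/* A fixed four-element sample array (constructed) behind two small helpers
 * so the behaviour of vm_array_get can be inspected without setup. */
static double sample_storage[4] = { 1.0, 2.0, 3.0, 4.0 };
static const VmArray sample_array = { sample_storage, 4 };

int sample_get_status(int32_t idx) {
    double unused;
    return (int)vm_array_get(&sample_array, idx, &unused);
}

double sample_get_value(int32_t idx) {
    double v;
    return vm_array_get(&sample_array, idx, &v) == VM_OK ? v : -1.0;
}

int main(void) {
    /* Indices a script might present: two in range, one off the end,
     * two negative (the last one as negative as int32 gets). */
    int32_t probes[] = { 0, 3, 4, -1, INT32_MIN };
    size_t n = sizeof probes / sizeof probes[0];
    printf("naive check lets through   %d of %zu indices\n",
           count_allowed(bounds_check_naive, probes, n, sample_array.len), n);
    printf("correct check lets through %d of %zu indices\n",
           count_allowed(bounds_check_correct, probes, n, sample_array.len), n);
    printf("a[2] -> status %d value %g\n", sample_get_status(2), sample_get_value(2));
    printf("a[-1] -> status %d (RangeError, nothing read)\n", sample_get_status(-1));
    return 0;
}
```

The difference between the two checks is a single cast, which is why defects of this shape survive review: the script language's own rules never changed, but the guarantee they rest on quietly did. Compiling the runtime with sanitizers or fuzzing the interpreter's index paths is the defender's way of finding the naive variant before anyone else does.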

It’s strange to see calls for Flash to be retired without seeing any
discussion of the root problem: unsafe languages like C/C++. It would
be equally valid to say that all of the major web browsers should be
retired—like Flash, they are all written in C/C++, and like Flash,
they have all had dozens and dozens of serious vulnerabilities. But
no one is suggesting that we stop web browsing.